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We review a quantum key distribution protocol, recently proposed by us, that makes 
use of a two-way quantum channel. We provide a characterization of such a protocol from 
a practical perspective, and consider the most relevant individual-particle eavesdropping 
strategies against it. This allows us to compare its potentialities with those of the standard 
BB84 protocol which uses a one-way quantum channel. 
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I. INTRODUCTION 

Since the seminal works by Bennett and Brassard Q] and by Ekert [2] Quantum Key 
Distribution (QKD) has made impressive progresses [3j, which can be roughly grouped 
into two main categories: on the one side there are theoretical progresses, among which 
the unconditional security of QKD is the most relevant one [4-8 J ; on the other side there 
are experimental progresses, almost exclusively in the field of quantum optics, which re- 
cently led to long-haul and high-rate QKD experiments [9Tll2|. The relevance of these 
advances promoted QKD as the most applicative research of quantum information, and 
also triggered the start-up of companies based on this technology [13] . 

Recent research on QKD is mainly focused on closing the existing gap between the 
perfect theory of the unconditional security proofs and the imperfect application of such 
a theory in the real world. This originated the definition of practical QKD \14\ [T5] which 
deals with the proper modeling of devices like photon sources, light modulators and single- 
photon detectors [TBI El • By consequence, any new proposal relevant to the field of QKD 
can not set aside the practicality issue. This is even truer if one looks at the quantum 
hacking strategies based on practical imperfections recently accomplished by the group of 
Trondheim |18j . 

In this paper we want to characterize from a practical point of view a novel form of 
QKD based on a two-way quantum channel. Two-way channels are already used in QKD 
either in those setups based on a Plug-and-Play configuration [19] or in those using the 
Cascade error correction procedure |20j . However these two examples do not represent 
a two-way quantum channel: in the first case only the backward channel ought to be 
considered quantum; in the second case neither the forward nor the backward channel are 
quantum. 
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The first input to two-way QKD came from Bostrom and Felbinger's Ping-Pong pro- 
tocol [21], where the question of the security of Quantum Dense Coding |22j was posed 
in terms of "deterministic and secure direct communication in presence of entanglement" . 
The Ping-Pong protocol was demonstrated insecure |23l [24] but a revised, more secure, 
version was soon after proposed in [25] (see also [26H28] ) . 

Moving from these initial steps novel two-way schemes without entanglement were 
presented in |29J, in [30j and then by us in [31J. This last scheme, named "LM05", had 
the merit of being more feasible and secure than the protocol in [2T] and it came with the 
first security proof against non-trivial individual-particle attacks. As a matter of fact its 
experimental realization was proposed [32], proved in principle [33] and recently realized 
in the third telecom window [34J. Also, the protocol was generalized to a higher number 
of states [351 [36] an d to higher-dimensional Hilbert spaces [37H39] . 

Despite these improvements, a complete realization of the LM05 still remains an exper- 
imental challenge. The main problem is that in the original protocol both the forward and 
the backward channels are tested by the users to guarantee the security of the protocol. In 
particular the test of the backward channel requires that with a certain probability one of 
the users (Alice) prepares a qubit in exactly the same physical state as the one prepared 
by the other user (Bob) [3T] . This is difficult in practice because all the relevant degrees of 
freedom of the qubit (wavelength, timing, bandwidth, etc.) must be accurately controlled 
by Alice. 

In this work we modify the original LM05 protocol by removing the test of the backward 
channel and show that the resulting protocol is still secure against several single-particle 
attacks by the eavesdropper (Eve). We also provide the state-of-the-art of the so called 
"deterministic QKD" [30] with a two-way quantum channel, together with a set of tools 
which can be used and further improved towards a final security proof of the scheme. 
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Throughout the work we compare our deterministic protocol with the standard non- 
deterministic BB84 [42]. 



II. THE PROTOCOL 



The practical rendering of the LM05 protocol (see Fig{T]) can be obtained from the 
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FIG. 1: Schematics of the practical LM05 protocol. Bob randomly prepares qubits of X and Z 
bases. With probability (1-c) Alice encodes data on the qubits (Encoding Mode, EM) and with 
probability (c) she measures the qubits (Control Mode, CM). Bob measures the returning qubits 
in the same bases they were prepared and finally decodes Alice's information. The noise check on 
the backward path, present in the original protocol |31j . is removed in the present version. 



original protocol [31 1 by removing the test performed by the users on the backward channel. 
Bob prepares a qubit in one of the four states |0), |1) (the Pauli Z eigenstates) , |+), |— ) 
(the Pauli X eigenstates), and sends it to his counterpart Alice. With probability c Alice 
switches to Control Mode (CM) and uses the qubit to test the channel noise or, with 
probability 1 — c, she switches to Encoding Mode (EM) and uses the qubit to encode a 



bit of information. The CM consists in a projective measurement of the qubit along a 
basis randomly chosen between Z and X , in a way equal to the protocol BB84 pQ. In the 
original protocol [31 J this step was followed by the preparation of a new qubit in the same 
state as the outcome of the measurement; however this step is removed from the present 
protocol as it is not practical to implement. In fact, to conceal the chosen modality to 
Eve, Alice should prepare a qubit in exactly the same physical state as the one prepared 
by Bob, i.e. same wavelength, bandwidth, time-width and intensity. This is not possible 
without a sophisticated control of the experimental devices. The lack of a direct test of 
the backward channel thus represents the fundamental difference respect to the protocol 
described in [31J. The EM is a modification of the qubit state according to one of the 
following transformations: the identity operation /, which leaves the qubit unchanged and 
encodes the logical '0', or iY = ZX operation, which flips any of the qubits prepared 
by Bob and encodes the logical '1'. After the encoding step Alice sends the qubit back 
to Bob who measures it in the same basis he prepared it; in case of an EM run this 
feature allows Bob to deterministically infer Alice's operation, without any need of a basis 
reconciliation procedure, typical of a non- deterministic setup like BB84 |46j . Notice that 
Bob's measurement does not depend on the modality chosen by Alice (EM or CM): Bob 
will perform in any case his measurement, with a nonzero probability to detect a vacuum 
pulse due either to the natural losses of the channel or to a CM run by Alice or to a specific 
attack by Eve. After the quantum communication, Alice will tell on the classical channel 
which runs were CM and which were EM. We also point out that the direct test of at 
least one of the two channels is a necessary procedure for any two-way quantum protocol. 
In fact there exist attacks, like Trojan-horse [J7J, Quantum Man-in-the- Middle [48J and 



Double-CNOT [351 HB], described in next Section III C which can not be detected by Alice 
and Bob using only the EM runs. 
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Even if the b not revealed for the EM runs, they are revealed for comparing 

the data acquired during the CM runs. This, in complete analogy with the BB84, will 
provide the users with an estimate of the noise present on the forward channel in terms of 
the QBER (Quantum Bit Error Rate) q%, defined as the ratio of the number of wrong bits 
over the number of total bits coming from CM runs. Beside qi, the users can also estimate 
a second QBER Qab which comes from a fraction of the EM runs, in which Alice reveals 
on the public channel her encoding. 

While q\ is used to give an upper bound on Eve's information, Qab is used to provide 
an estimate of Alice and Bob mutual information, Iab-, with Iab = H(A) — H{A\B) and 
H the usual Shannon entropy |49j . In case A is a random binary variable we have: 

Iab(Qab) = 1-H{Q AB ). (1) 

Note that there is no definite relation between the two QBERs q\ and Qab- A precise 
relation can only be found by assuming a particular strategy by Eve, as done in |3T] or by 
adopting a particular noise model, as we shall do in the following. 

Eve's information is given in terms of mutual information between Eve and Alice, Iae-i 
or Eve and Bob, Ibe- Then the Csiszar-Korner (CK) theorem |5U| is used to decide 
whether the QKD session is secure or not: Alice and Bob can establish a secret key 
(using Forward Error Correction and Privacy Amplification) if and only if Iab > Iae ° r 
Iab > Ibe- Depending on the use of the Iae or Ibe in the CK theorem, it is possible 
to define respectively the secrecy capacity of the Direct Reconciliation (DR), C^ R , and of 
the Reverse Reconciliation (RR), C RR , as follows: 

C? R (QAB,qi) = Iab(Qab)-Iae(Qi), ( 2 ) 

C RR (Q A B,qi) = lAB(QAB)-lBE(qi), (3) 

where Iae, Ibe are the upper bounds to Eve's mutual information with Alice and Bob 



respectively, which as said are functions of q\ only. Notice that according to the CK theo- 
rem is sufficient that only one of the secrecy capacities is greater than zero to have a secure 
communication. In order to accomplish a DR, the users must execute the Forward Error 
Correction in the direction that goes from Alice to Bob; in other terms it will be Alice to 
transmit to Bob the parity bits to correct the errors, and it will be Bob to correct the errors 
in his string to match Alice's string. For the RR the roles of the users are the opposite. 
We remark that to have a tentatively deterministic Direct Communication [21J, it must 
be Alice to lead the reconciliation procedure, because only her knows the random choice 
between CM and EM. This means that the security of a deterministic communication 
closely depends on the mutual information Iae and on the DR procedure. 

The LM05 protocol has already been tested in free-space at the wavelength of 800nm 
using the photon polarization as a quantum carrier of the information |33|, 151] . However 
this choice is not ideal in optical fibers because birefringence makes the polarization change 
randomly. The optimal implementation is to use an encoding based on the relative phase 
between two pulses separated in time. In this way the channel noise seen by the two pulses 
is the same, and their relative phase remains stable. The only left noise is the one coming 
from a misalignment between Alice's and Bob's apparatuses. To eliminate this source of 
noise one can adopt the mechanism of passive compensation, invented in and employed 
for QKD in the Plug-and-Play system |53H56| . This technique fits very natural with the 
EM of LM05, thus letting the implementation reported in |34j . 

In the next sections we consider the most relevant individual attacks against LM05. 
Following the approach given in [57] we group the attacks into two main categories: zero- 



loss and zero-QBER attacks. The former, analyzed in Section III do not introduce any 



loss in the channel but introduce noise; the latter, treated in Section IV, introduce losses, 



but no noise. This description allows to a certain extent a fair comparison between one-way 
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and two-way deterministic QKD. 

III. ZERO-LOSS EAVESDROPPING 
A. Intercept and resend attack - IR 

The simplest attack in which Eve acquires information from the communication chan- 
nel, thus unavoidably introducing noise in the same channel, is the Intercept and Resend 
(IR) , which follows for the LM05 protocol the same steps as for the BB84 protocol [TJ EZ] ■ 

In the IR against LM05 Eve measures the photon coming out from Bob along one 
basis chosen at random between the two bases used by Bob, i.e. Z and X [5S]. Then she 
takes note of the outcome and forwards to Alice the qubit projected by her measurement 
in a certain state Alice, in EM, will flip or not-flip this state, and sends it back to 
Bob. Eve measures on the backward path the state emerging from Alice box, using the 
same basis previously used in the forward path, thus learning the information; finally she 
forwards the qubit to Bob. 

This attack can be detected through the QBER q\ while running the CM. It is easy 
to see that when Eve perchance measures in the same basis of Alice and Bob, she creates 
no error in the forward channel; on the contrary, for different basis, she creates an error 
with probability 1/2. In both cases she acquires full information about Alice's encoding, 
causing an average value of q\ equal to 1/4. 

While IR provides Eve with full knowledge about Alice's encoding it does not provide 
her with full knowledge about the result of Bob's measurement. In fact the first measure- 
ment by Eve destroys the initial state prepared by Bob; furthermore the basis used by 
Bob is never revealed in LM05. This entails that Eve can foresees Bob's result only three 
times over four, that is when she perchance measures along the same basis as Bob and 
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when she measures along the wrong basis but accidentally guesses the correct final result. 
This argument, together with the previous one, implies the following relations for the IR: 

qi = 0.25, 
Qae = =>• Iae = 1 5 

Qbe = 0.25 Ibe = 1 - H{Q BE ) ~ 0.19. (4) 

In the above equations Qae and (5b_b are defined in a way similar to Qab- For example 
Qae; can be thought as the QBER that Alice and Eve would find if they compare their 
classical strings which are composed, respectively, by all the encodings transmitted to Bob 
and by all the data acquired by Eve by means of the IR. Recall that the above equations 
are connected with the direct (DR) and reverse (RR) reconciliation of the LM05 and 
provide the direct and reverse secrecy capacity of the protocol. The situation described by 
Eq.Q can be compared with that of BB84, where for q\ = 0.25 the information acquired 
by Eve is Iae = Ibe = 1/2 [3]. 

Of course Eve can decide to effect or not to effect IR in a certain run. In other terms 
she can effect IR only on a fraction £ 6 [0, 1] of the runs. This modifies Eqs.Q into the 
new ones: 

Ql = 0.25 £, 
Iae = £, 

Ibe 0.19 £. (5) 

As said above, the mutual information between Alice and Bob is a simple function of 
the QBER Qab, which is measured by the users by sacrificing a part of the data collected 
during the EM. It is straightforward to realize that for IR the two QBERs of the LM05 
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are equal: 

Qab = qi- (6) 

Eq.Q defines a first relation between the two QBERs measured in the LM05 protocol. 
Although this relation is not general, it deserves attention for it describes quite accurately 
the noise model pertaining to an experimental fiber-based setup like the one in Ref. |34j . 
where the phase-drift noise arising in the optical fiber can be compensated both at the end 
of the forward channel and at the end of the backward channel through the passive Plug- 
and-Play auto-compensation technique [53-56]. Hence, we will use again the noise model 
of Eq.Q to settle a homogeneous comparison between the various attacks put forward 
by Eve against the LM05 protocol. Of course, other models of noise are possible (see e.g. 
Ref. [33]). 

In Fig.[| we summarize what obtained thus far with the curves pertaining to the mutual 
information between Alice, Bob and Eve in LM05. In the same figure we also plot the 
curve pertaining to the analogous IR attack against BB84 (Section VI. D of [3]), for which 
Iae = I be- It can be seen that the curve Iae in LM05 is always above the curve of BB84, 
while the curve I be is always below it. This, according to the CK theorem, Eq.Q, implies 
that the reverse (direct) secrecy capacity of LM05 is always higher (lower) than that of 
BB84 for the IR attack. The security thresholds obtained from the CK theorem against 
the IR attack for LM05 in DR and RR and for BB84, in the noise model of Eq.Q, are 
given by the intersection points of the plotted curves, and are explicitly written below: 

LM05 DR : secure against IR if qi < 11.9% 
LM05 RR : secure against IR if qi < 25.0% 
BB84 : secure against IR if qi < 17.1% 

Note that the BB84 security threshold of 17.1% is higher than the one pertaining to the 
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FIG. 2: Mutual information versus qi in LM05 and BB84 in case of IR attack by Eve. Iab- solid 
line; I^J 05 : dot-dashed line; I^ 105 : dotted line; /|| 84 = iff 84 : dashed line. The security 
thresholds are reported at the top of the frame. 

optimal individual eavesdropping |59j which amounts to 14.6%. In fact the simple-minded 
IR attack just described is not optimal either for BB84 or for LM05. However they have 
been used in [57] and later in [3j| to provide direct measurable quantities easily applicable 
in the experimental situation. 



B. Non-orthogonal attack - NORT 

The IR analyzed above can give Eve an information linearly varying with the QBER 
qi, as synthesized by Eqs. ([5]) and Fig. [2j It is possible for Eve to increase her information 
as a function of q\ by performing non-orthogonal measurements [3] on both the forward 
and the backward paths. This strategy has been initially described in [31] by considering 
the mutual information as function of the "detection probability". Now we use the same 
approach but in terms of QBER. 
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Given the four states prepared by Bob, and Eve's ancillary states |e), we can write the 
most general operation Eve can do on traveling qubit at point E\ of Fig{T]as: 



|0> |e) -> |0) \e m ) + |1) koi) = VF |0> |eoo) + VD |1) |e i) , 



|1) |e) -> |0) |e 10 ) + |1) kn) = VD |0> |ei > + VF\1) \e n ) , 
|+) \e) -> ±= [|0) (|eoo) + kio)) + |1> (koi) + kn»] 
= |+)|e++) + |-)|e + _), 

I-) | £ ) -L [| > (| £oo ) - | E10 » + |i) (| £ol ) - | eu »] 

= |+) |e_+> + |-) |e__> , (7) 

where the states |e^) belong to the four-dimensional Hilbert space of Eve's probe. Ancil- 
lary states with tilde are intended to be normalized. The following conditions make the 
transformations Q unitary: 

(eookoo) + (eoi|eoi) = i ? + ^ = l, (8) 
(eiokio) + (enM = D + F = 1, (9) 
(eoo|eio) + (eoi|eu)=0. (10) 



Within condition (10) we can set (eoo|eio) = (eoi|eil) = if we assume that the attack 
brought about by Eve is symmetric j3j. A symmetric attack is obtained when the distur- 
bance introduced by Eve results to be the same in the two bases measured by the users. 
Alice and Bob can test the occurrence of a symmetric attack by measuring the noise levels 
in the two bases separately and verifying that they are equal. Intuitively, a symmetric 
attack corresponds to the symmetric structure of the states prepared by the transmitter, 
both in the LM05 and in the BB84 protocol. In fact, for the BB84, it has been shown to 
be optimal (see Section VI. E of [3]). Our results are then limited to this class of individual 
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symmetric attacks. We specify the angles between non-orthogonal vectors as: 

(eoo|eii) = cosx , (ebi|eio) = cosy, (11) 

with < x, y < 7r/2. In this sense the present strategy represents a non-orthogonal 
attack. Here, we do not fix values of the parameters we introduced. 

At point E2 of Fig{T]Eve performs an attack similar to that at point E%, but with fresh 
ancillae I??) (hence new parameters F' and D' are in order), to gain information about 
Alice's encoding: 

10)1^)^^10)15700) + v^|l)|»Jbi), 

|i) \ v )^V^\o) \mo) + \mi), 
\+)\v) -> \+)\v++) + \-)\v+-), 

\-)\v)^\+)\V-+) + \-)\V—)- (12) 

At the end of the transmission Eve will measure e and r/ ancillae and she will gain in- 
formation. Our next task is to recover the optimal eavesdropping strategy by Eve, i.e. 
determine parameters' values that maximize Alice- Eve and Bob- Eve mutual information 
(Iae, I be) minimizing the QBERs q\ and Qab- 

From transformations Q and conditions (8][Io") we can easily evaluate qi for each basis 



prepared by Bob: 

qi(Z) = (eoikoi) = (eiokio) = A (13) 

qi(X) = (e+_|e + _) = (e_ + |e_+) 

= [l-Fcosx-L>cosy]/2. (14) 

A good choice for Eve to minimize the QBER q\ is to align her measuring apparatus 
with Z and X at random. If she aligns along Z then qi(Z) = D = 0, otherwise it will be 
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qi (X) to be zero. On average, after setting D = (and so F = 1), we will have: 



<fi° = 1 ;° SX , (15) 



and Eqs.Q become: 



|0) |e) -> |0) |eoo> , 
|l)|e>-Hl>|eii>, 
|+)| e )-^i(|0)|eoo) + |l)kii», 

|->|e)-^i(|0)|eoo)-|l)|eii». (16) 

From the above equations it is clear that the only relevant parameter is x: if it is zero 
then Eve's ancillae are parallel and do not provide any information to her, nor do they 
cause any error on the channel since any evolved state remains equal to the initial one. On 
the contrary, if x = ir/2 Eve's ancillae are maximally informative to Eve, but maximum 



is also the noise created on the channel, according to Eq.(15). Similar arguments hold for 
the backward path, after ^-attack, with primed parameters replacing not-primed ones. 
In order to evaluate the mutual information Iae let us write Bob's initial states as: 



i*) = y, c «i">' ( 17 ) 



a=0,l 

where we made the following ansatzes correspondingly to the initial states: 

|0) ->• c a = Safi, 

|1) -> C a = C>a,l, 
, . 1 



~ 1)a w (18) 



Then we can rewrite transformations Q as 



|*)|e)= c a |a)|e) ^^c a ^|e a/3 )|/3), (19) 

a=0,l a /3 
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and transformations (12) as 



I*) \V) = Yl Ca I") ^ ~> E Ca E l^) 



(20) 



Q = 0,1 



Now suppose that Alice performs the identity I between the two Eve's attacks. The 
following sequence describes the state transformations: 

a 

^^2c a ^2\p)\£ aP )\ri) 



a j3 



^ E Cq E I 7 } \ £a ^ IW • 

a /3,7 



The ancillary states involved in this operation are: 



(21) 



koO) Voo) , koo> Voi) > l £ oi, »7io) > koi, ?7ii) , 



kio,%o) , kio,%i) > kii> W , |en,f?n) • 



(22) 



If, instead of the identity /, Alice performs the iY operation we have: 
\*)\e)\v) ^E C «E WMW 

a /3 

^E^E^ 1 )^ 1 !/ 3 ® 1 )!^)!^) 

a /3 

^ E Ca E It) l £ "/3) 1^/391)7) ' 

and the involved ancillary states are: 



(23) 



kooj Via) > l £ oo ; Vn) ) l £ oi, %o) 5 1 £01, »7oi) , 



kio,??io) , kio,mi) , kn^oo) , kn,%i) 



(24) 



In order to acquire information from states (21) and (23 ) Eve must measure both her 



ancillae. Keeping in mind orthogonality relations (10) and following, we see that the best 



way to do that is to distinguish orthogonal subspaces before, and then non-orthogonal 
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states. The probability to make an error in distinguishing between two states with scalar 



product cos x is (1 — sin x) /2 |60j . Observing states ( 21 ) and ( 23 ) we can notice that if Eve 
mistakes to identify her first ancilla (e states) then she guesses the wrong Alice's operation, 



since she flips from states (21) and (23) or viceversa. The same is true if she guesses right 



e state but mistakes r] state. Nevertheless, if she mistakes twice, then with the first error 



she misinterprets (21) and (23) and with the second error she compensates the first one, 



eventually guessing right Alice's operation. This leads to estimate the probability Eve 
wrongly guesses Alice's operation, i.e. the QBER Qae between Alice and Eve, and from 
it, considering F = F' = 1, we find the following expression for Iae'- 



Iae 



1 - H 



l + sinx\ /l + sinx'\ /l — sinx\ /l — sins' 

+ 



(25) 



Then, to upper bound Eve's information without affecting q\, we can simply use orthogonal 
ancillae on the backward path, that means to set x' = tt/2. In this case we obtain: 



I AE = 1 - H 



1 — sin x 



(26) 



The last question concerns the mutual information between Bob and Eve. This is 
limited by the fact that Bob does not reveal any basis in LM05. So if Eve guesses the 
right basis in transformations ([7]) (probability equal to 1/2) then she has a probability 
of error equal to her capability to discriminate her ancillae, given then by (1 — sinx)/2. 
Otherwise, with probability 1/2, she guesses the wrong basis and she has a probability of 
1/2 to be wrong with the qubit also. In the whole: 



Qbe 



2 — sin x 



(27) 



The security of the protocol now depends on the relation between Qab and qi- For 
the purpose of comparison we assume here the same model as per Eq.Q, obtained for IR 
attacks: Qab = Qi- This is reasonable as the present strategy is a generalization of IR to 
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nonorthogonal Eve's ancillae. With such an assumption it is possible to draw the curves 
in Fig. U 
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FIG. 3: Mutual information vs qi in NORT attack. The curves are: Iae° 5 (dot-dashed line), 
I be 05 (dotted line), iff 84 = I be 84 (dashed line). The security thresholds are reported at the top 
of the frame. 



The increased information acquired by Eve using NORT rather than IR is apparent. 
The security threshold for BB84 is now 14.6%, equal to the one obtained in |59j for the 
optimal single-particle eavesdropping. On the contrary, the thresholds for LM05 are 10.0% 
and 25.0% for DR and RR respectively. Hence LM05 used in RR is more tolerant to noise 
than BB84, provided that Eve's action is limited to a NORT attack. 



C. Double CNOT attack - DCNOT 

So far we have analyzed attacks in which Eve measures the qubit coming out from 
Bob's station. As we have seen this kind of attack can provide Eve with a high mutual 
information with Alice. However the mutual information between Eve and Bob is poor, as 
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illustrated by the Figures [2] and [3} The reason is that Eve's initial measurement modifies 
the state prepared by Bob, and prevents her from knowing the outcome of Bob's final 
measurement. It is then natural to ask whether is possible for Eve to perform her attack 
without altering Bob's state, thus maximizing her mutual information with Bob. This 
attack exists and has been introduced for the first time in |48j . It is composed by a 
sequence of two CNOT gates from Eve, one for each path of the LM05; hence we call it 
Double CNOT attack, in short "DCNOT". We will show that DCNOT can make I BE , 
distilled in the RR modality, equal to its maximum and to Iae, thus reducing the LM05 
security to the security obtained in the DR modality. 

Let us study the evolution of the states prepared by Bob under the action of the first 
CNOT gate by Eve. Eve appends an ancilla in the state |0) to the initial states prepared 
by Bob; then she performs a first CNOT gate before Alice's station using the traveling 
qubit as control and her ancilla as target. The states become: 

|o>|o) e -Ho>|o> e , 

|l)|0) e ->|l)|l) e , 

|0)|0) e + |l)|l) e 



l+)|0} £ 



V2 



i-)io) e -M^m. (28) 

We can notice that when Bob prepares states in the basis X the CNOT gate creates an 
entangled state with the traveling qubit and Eve's ancilla. After that Eve forwards the 
control qubit to Alice, who performs her encoding A% (Aq = I and A\ = iY) on it and 
then sends it back to Bob. Eve, on the backward path, executes a second CNOT gate on 
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the whole system. We report Alice's and Eve's actions as: 

|o>) |0) e [a |o>) |i> e> 

(4|i))|i) c ->(4|i>) |i) c , 
(i,|o))|o) c + fi i |i) N )|i 



g i iti/ii/e 

-a i i i i ; 

e ' 



V2 



(4|+>)|<> 

(A|0))|0) e -(A|i))|i)^_ (ig| _ ))K)e- 



(29) 



V2 

From these equations we can recognize that the entanglement created by Eve in the first 
CNOT gate disappears with the second CNOT. Furthermore, Eve's ancillae take exactly 
the information encoded by Alice; hence it is sufficient for Eve to measure them in the 
basis Z to find out Alice's encoding: |0) e indicates that Alice performed the identity, while 
|l) e indicates the spin-flip operation. Finally, after the second CNOT the state arriving 
to Bob is just the right state he expected to receive! This entails two consequences: 

i) in the DCNOT Qab = 0. If Alice and Bob use only Qab as a security parameter, 
they will never detect this kind of attack by Eve. However, for the same reason, the mutual 
information between Alice and Bob, which is a function of Qab, is always equal to 1. 

ii) Eve acquires full information about both Alice (Iae) an d Bob {I be)- In fact she 
knows perfectly the encoded transformation and the result that is going to be obtained 
by Bob. 

The DCNOT attack can be detected in CM. If the qubit is prepared in the basis Z Eve 
does not perturb the state at all while if it was prepared in the basis X the QBER qi is 
equal to 1/2. Hence the overall QBERs and information situation for this attack is: 

qi = 0.25, (30) 
Qab = Iab = 1, (31) 
Iae = Ibe = 1- (32) 
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These equations are quite similar to Eqs. §5§ obtained for the IR attack, with the important 
difference that Qab is now zero and, by consequence, Iab is always equal to 1, as per 
Eq.(32). Hence, by making use of the CK theorem, Eq.Q, we can conclude that the LM05 



provides a secure rate against DCNOT over the whole interval of q\. 

Likewise IR, if Eve performs the DCNOT in a partial way, her information will be a 
linear function of the QBER q\ ; then the corresponding curve would be exactly the same 
as the one depicting /jf^f 05 in Fig. [2J We report such a curve in Fig. [4j 

An important modification to the DCNOT is the following. Eve executes a random 
flip/no-flip unitary operation, analogous to the one effected by Alice, after the second 
CNOT, on the backward path. In this way Eve increases Qab, from its minimum value 
to any desired value x an d decreases the mutual information between Alice and Bob from 
its maximum value 1 to any other value imposed by her. Furthermore, with this kind of 
modified DCNOT attack, which we term DCNOT*, Eve still maintains the control about 
Bob's final measurement outcome, as in the non-modified DCNOT. The situation for the 
DCNOT* attack is then summarized by the following equations: 

qi = 0.25£, 
Qab = X^Iab = l-H( x ), 

Iae = Ibe = £, (33) 

with x £ [Oj 0-5] a parameter controlled by Eve and £ the fraction of attacked qubits, 
as already defined for IR attacks. We can again assume the noise model of Eq.([6]) to 
compare this new attack with the previous ones, i.e. Qab = Qi- The corresponding curves 
are plotted in Fig. [4} 

The LM05 protocol results secure, both in DR and in RR, if q\ < 11.9%. Hence, by 
comparing with Figs. [2] and [3j it is seen that this attack is less dangerous than NORT as 
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FIG. 4: Mutual information Iab (solid line) and Iae° 5 = ^be° 5 (dot-dashed line) versus q\ in 
the DCNOT attack against LM05. The security threshold is reported at the top of the frame. 

far as Iae is concerned, but is far more dangerous for what concerns the security threshold 
pertaining to Ibe, which decreases from 25.0% to 11.9%. 



D. Generic individual attack 

In this section we provide an upper bound to Eve's information in case of single- 
particle attack. We adapt to LM05 an argument recently introduced in [25], which in 
turn is based on the main argument of [5] limited to the case of an individual attack. 
We remark that such a proof holds when LM05 is used for QKD, not for a deterministic 
Direct Communication |21j . We also stress that the proof given in |25j and repeated here 
for LM05 does not represent a security proof against the most general attack by Eve, 
i.e. a coherent attack of a two-way deterministic protocol. In fact, the argument does 
not include any multi-particle distillation of quantum states performed by the users, nor 
multi-particle attacks by Eve |61j . 
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As a first step of the generic individual attack by Eve suppose that the users are 
provided by Eve with a state which is claimed to be a perfect singlet: 



|VW = (|0)J1) B -|1>J0) B )/V2, (34) 
where the states |0) and |1) are the eigenstates of the basis Z, the computational basis. 



If the state (34) were a truly singlet, the users would perform LM05 as follows. Bob 
measures his particle in one of the two bases Z or X chosen at random, thus preparing 
Alice's particle's state in a state orthogonal to his state. In EM, Alice performs on her 
particle the desired operation I or iY, exactly as she would do in the standard prepare- 
and-measure LM05. All the same, in CM, Alice measures her particle in a basis randomly 
chosen between Z or X. This reduces the entanglement-based LM05 to a prepare- and- 
measure protocol. Once the security is shown for the former it is automatically true for 
the latter. 

The next task is for the users to verify that they actually have been given by Eve 
the claimed state. In practice they must verify that the fidelity F{\iPab) > Pab) between 
the claimed state and the state pab in their hands is very close to 1. Hence consider a 
tripartite state \&)abe which is a purification of pab and which is in Eve's hands: 

PAB = tr E {\$) ABE (§\) (35) 
PE = tr AB (\$) ABE ($\). (36) 

Then S(pab) = S (pe), where S is the Von Neumann entropy @9], because l^)^^ is pure 
and then pab and pe have the same spectrum. Hence Alice and Bob can calculate Eve's 
maximum information from the relation S(pab) = S (pe) provided they can estimate 
S(pab)- To this aim the users perform the CM. In particular they measure the QBER q± 
which is equal to the infidelity S of Ref. [5] , which is defined by the relation 

F(\iPab),Pab) 2 > 1-5. (37) 
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As a result, if q± is not too large, the state pab is acknowledged to be very similar to 
IV'Ab) by the users. In particular, since they verify that F (\iPab) ,PAb) 2 > 1 — then 
from the Lemma "High fidelity implies low entropy" of Ref. [5] one has: 

S(pab) = S ( PE ) < - (1 - qi ) log 2 (1 - q x ) - qi log 2 (|) . (38) 

This represents an upper bound to Eve's absolute information at the end of the forward 
path, in full analogy with what happens in the BB84 protocol. What we need now is a 
connection with the backward path. Between the two paths, Alice encodes information 
on her particle. So let us make a step back and focus on the mutual information between 
Alice and Eve, Iae- 

It is known that the Holevo information is un upper bound to the mutual informa- 
tion 

Iae < x(pae), (39) 

with pae = trs (\$)abe (^1) ano - x(p) = S{p) ~ ^2k^(Pk)- Furthermore the following 
relations trivially hold: 

x(pae) < S(pae) < S( PE ), (40) 

with pe = trA {pae)- The last equation is an intuitive corollary to the Holevo theorem 
cited as "Lemma 2" in Ref. [5]. So, it turns out that the upper bound S(pe) available to 
Alice and Bob is an upper bound both to the mutual information Iae and to the Holevo 
quantity x(pae)- As stated in Ref. [23] the Holevo quantity does not increase under 
quantum operations. In particular Alice's encoding operations cannot increase x(pae)- 
By consequence one has: 

X(PAE) after < x(PAE) bef ° re < S(p E ) (41) 
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FIG. 5: General attack security for LM05 in DR. The security threshold amounts to qi — 8.8%. 
For qi > 18.9% Eve gets full information about Alice's encoding. 

where the labels "before" and "after" refer to Alice's encoding. So S(pe) represents a 
bound to Eve's information even after Alice's encoding. 

To conclude the proof it suffices to note that even if Eve can increase S(pe) on the 
backward path, e.g. by attaching new ancillae to the traveling states, the increase in 
information does not concern Alice's encoding. So it would be the same for Eve if she 
increases her information since the beginning on the forward path; but in that case the 



users already have the bound of Eq.(41). 



Now it is possible to use the CK theorem, Eq.Q, and the noise model of Eq.Q to 
make a guess about how tight the given bound is. In this model the mutual information 



Iab is given by 1 — H(q\) while from Eq.(38) we get un upper bound to Eve's average 
information. The curves pertaining to the mutual information are plotted in Fig. [5} They 
are compatible with the previous results since the found threshold, q\ < 8.8%, is lower than 
all previous single-particle attacks, both in DR and in RR. Note however that the given 
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bound is meaningful only for LM05 in DR since it is based on the Holevo information bound 



Eq.(41 ) which makes explicit reference to Alice's encoding and none to Bob's measurement. 
However although the security threshold pertaining to RR could be higher than that for 
DR, it cannot be too much different because we provided an explicit attack, the DCNOT*, 
which gives a security threshold of 11.9% for LM05 in RR, only 35% higher than the above 
threshold. Moreover, limiting the analysis to DR, it turns out that the security bound 
just given is quite tight. In fact, with the NORT attack we found a security threshold of 
10.0%, which is only 13.6% higher than the given bound. 

Finally let us note that the above bound holds trivially for BB84 as well, where Alice 
does not encode information on the received state. In this case however the bound is not 
tight as 8.8% is far smaller than the 14.6% pertaining to the optimal individual attack 
against BB84 [59] . 

Before moving to the next Section and study the zero-QBER attacks, we summarize 
the results found for the zero-loss individual eavesdropping in Table [IJ 



Eve's strategy 


LM05-DR (%) 


LM05-RR (%) 


BB84 (%) 


IR 


11.9 


25.0 


17.1 


NORT 


10.0 


25.0 


14.6 


DCNOT* 


11.9 


11.9 


X 


Generic 


8.8 


X 


8.8 



TABLE I: security thresholds for single-particle attacks against LM05 in DR, LM05 in RR and 
BB84. 



IV. ZERO-QBER EAVESDROPPING 

We now consider attacks that introduce losses, but no noise. If Alice uses a perfect 
single-photon source the single photon can only be detected either by Eve or by Bob. 
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However in practice Alice uses an approximated single-photon source i.e. an attenuated 
laser beam. For this source the number of photon per pulse follows a Poisson statistics. It 
is then possible that a single pulse contains more than one photon in the same quantum 
state, and that both Eve and Bob detect the same qubit. In this case Eve steals one bit of 
information without introducing any noise in Bob's measurement; however she introduces 
losses. Alice and Bob, from the knowledge of the loss rate, should be able to infer how 
much information has been stolen and remove it by means of Privacy Amplification [62] [53] . 
It is worth noting that in the hypothesis of zero-QBER attacks the mutual information 
between Alice and Bob is always maximum and no Error Correction is needed to reconcile 
users' keys. Another obvious consequence of this assumption is that Eve does not acquire 
any further information from the Error Correction procedure. So her knowledge will derive 
entirely from her attack to the quantum channel. 

A. Beam splitting attack - BS 

In the Beam Splitting attack (BS) Eve uses a beam-splitter of transmissivity T = 1 — R 
to deviate a fraction R of the main beam towards her detectors, which are supposed to be 
ideal (100% quantum efficiency, no dark counts). The approach for BS is very similar to 
the one adopted for the IR attack: we first evaluate the probability of success for an Eve 
eavesdropping one bit of information; then we relate the photon emitted by the source to 
the eavesdropped bits via the Binomial distribution. 

Let us first analyze the BB84 |57| . Define [i as the average number of photons contained 
in each pulse prepared by Alice. With her beam-splitter Eve splits a fraction R[i from the 
main beam towards her (ideal) detectors, so that the probability to successfully detect a 
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photon is given by: 

P = 1 - e- R » PS (42) 

The above approximation holds when fi <C 1. Usually in the experiments on BB84 /i = 0.1. 
It is reasonable to assume that R ~ 1 because usually the attenuation rate measured 
by Alice and Bob is very close to the unity at wavelength of 1550 nm. Hence Eve's 
probability to successfully detect a photon is about \i. We also conservatively assume that 
Eve possesses a perfect quantum memory to store the bits until the moment in which 
the basis is revealed by Alice and Bob, so that every stored photon is detected by Eve in 
the right basis. This means that fi represents the average information collected by Eve 
against BB84 through the BS attack in the asymptotic limit of a large number N of pulses 
traveling on the channel: 

/1 B84 = /x. (43) 

This expression can be used to provide a secure gain similar to that obtained for IR attack. 
Specifically the secure gain G BBU is: 

qBBSA = qBB&A x (1 _ jBBM) > {U) 

where: 

G*T = 1 " exp [-„ x Vd x T^ 84 (L)] , (45) 

T BB84 ^ = Tqc (^) x r B (total transmission), (46) 

Tqc (L) = io _0 02xL (transmission of the quantum channel), (47) 

with parameters rja = 0.12 (efficiency of Bob's detectors), Fb = 0.4 (transmission of Bob's 
box), and ji is optimized for every distance L in order to give the maximum secure gain. 
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In analogy with BB84 one can calculate the amount of Privacy Amplification [62\ 163] 
necessary to cope with BS in LM05. Being LM05 a two-way protocol the BS must be 
accomplished using two beam-splitters rather than one, positioned in the two paths of the 
communication channel. In this way it may happen that Eve measures two photons, one 
from the forward path and one from the backward one; then, by comparing her outcomes, 
Eve can ascertain the encoded information. Let Ri and R2 be the reflectivity of the two 
beam-splitters. After the first beam-splitter Eve has a probability of successful detection 

Pi = 1 - e" Rl/ \ (48) 

The fraction of the beam transmitted through the first beam-splitter is Ti/x = (1 — R\)fi. 
Then the fraction of the beam deviated by the second beam-splitter is i?2(l — Ri)fJ>, an d 
Eve's probability to detect a photon in the second path is: 

P 2 = 1 - e -fl2(l-i?i)M ( 49 ) 
A successful eavesdropping is given by two successful detection events in the same run: 
Pbs 12 = Pi ■ P2 = (1 - e~ R ^) (l - e'Mi-Ri)^ . ( 50 ) 

From this expression it is straightforward to check that the value of R\ = 1/2 maximizes 
PBS12 f° r an y A 4 - An intuitive way to understand this is to take R2 — 1, to let Eve read 
as much information as possible from the backward path, and to realize that in this case 
Eve's best choice is to analyze half of the beam from the forward path and half from the 



backward one, i.e. to set R\ = 1/2. Inserting these values into Eq.(50) we have: 



Pbs 12 < (l - e"^ 2 ) 2 = P* = 1 - 2e~^ 2 + e"", (51) 



which represents the average information acquired by Eve through the BS attack against 
the LM05 protocol, both in DR and RR, in the asymptotic limit of an infinite number of 
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pulses traveling on the two-way quantum channel |34j : 

/LM05 = p* ^ 

This expression can be used to provide a secure gain similar to that previously obtained 
for BB84. Specifically the secure gain G LM05 is: 

G LM0S = G^ 05 x (1 - I L / m ) , (53) 

where: 

G r L r 5 = 1 - exp [-p x Vd x T LM ^ (£)] , (54) 

r LM05 _ (L) x T B x (total transmission), (55) 

Tqc (L) = iq~°- 02xL (transmission of the quantum channel), (56) 

with parameters rjd = 0.12 (efficiency of Bob's detectors), Tb = 0.4 (transmission of Bob's 
box), = 0.45 (transmission of Alice's box) and \i is optimized for every distance L. 
Note that the crucial equation is that defining r LM05 (L) which, with respect to BB84, 
contains the square of Tqc (L), because the channel is two-way, and the term Y 2 A , which 
represents the double-transmission of Alice's setup because the photon passes twice in it 



before going back to Bob. The values of the parameters reported after Eq.(56) are similar 
to those experimentally measured in Ref. [34j . 

In Figure |we plot log 10 G BB84 and log 10 G LM05 . It can be noted that the secure rate 
pertaining to LM05 is far smaller than that pertaining to BB84. This crucially depends 
on the higher loss-rate of the two-way channel of LM05. 

However in the next Section we show that the difference between the two protocols in 
the frame of zero-QBER attacks can be dramatically reduced when the Photon-Number 
Splitting (PNS) attack by Eve is considered. This is due to the higher resistance offered 
by LM05 against this kind of attacks. 
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FIG. 6: Plot of the secure gain of BB84 (G BB84 , Eq.fil), dashed line) and LM05 (G LM05 , Eq.lpl) 



solid line) versus the length of the communication channel, in case of BS attack by Eve. The BB84 
is superior to LM05 for all the distances. This is due to the double loss-rate of the two-way LM05 
protocol. 

B. Photon-number splitting attack - PNS 



In the following we describe the Photon-Number Splitting (PNS) attack [l~5l 
against the present version of the LM05 protocol. This attack has been previously de- 
scribed in [51] for the original LM05 protocol. The removal of the test on the backward 
channel does not present any major subtleties: it is simply replaced by the test of the 
QBER Qab, which obliges Eve to perform an attack on at least three photons (see the 
following explanation) to not introduce any disturbance on the channel. 



As mentioned in the previous Section IV A , when the photon source is a laser attenuated 
with an average photon number per pulse fx, the probability to have n photons in a single 
pulse is given by a Poisson distribution: 



IV. 



(57) 
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This means that with a probability P n (//) Bob prepares the state \ip)® n rather than the 
desired state \tp) (tp indicates one of the four states prepared by Bob in BB84 and LM05). 
This accidental redundancy can be exploited by Eve to perform a perfect zero-QBER 
attack. 

It is known |68j that when n = 3 it exists a measurement Ai that provides a conclusive 
result about the absolute polarization tp with (optimal) probability 1/2. Eve can exploit 
this fact to eavesdrop on LM05 protocol in the following way. She performs a quantum 
nondemolition measurement (QND) on the pulses as soon as they exit Bob's station; 
this can be done without perturbing the state tft: when she finds n < 3 she blocks the 
pulses; on the pulses with at least three photons she executes A4 and if the outcome is not 
conclusive she blocks these pulses as well; when n > 3 and the outcome of M is conclusive 
she prepares a new photon in the right state tp and forwards it to Alice. Until here this 
attack is completely analogous to the 'IRUD-attack' described in [68]. The only variant 
is that Eve measures again the photon on the backward path after Alice's encoding, to 
capture the information. Since Eve did know the state entering Alice's box she can extract 
the information without perturbing the state. After that she forwards the photon in the 
correct state to Bob. We call this first PNS attack PNS_a/(. 

A second attack is more peculiar to LM05. Suppose that n = 2 and call the two 
photons in the pulse p\ and p2- As before Eve can know the number of photons per pulse 
through a QND measure. When n < 2 Eve blocks the pulses. When n = 2 she stores 
pi and forwards p2 to Alice; this let her remain undetected during a possible CM on the 
forward path. On the way back Eve captures again p2- To gain Alice's information she 
must decide whether the polarizations of p\ and p2 are parallel or antiparallel: in the 
first case she would deduce the logical value '0'; in the second case she would deduce '1'. 
However, the discrimination between parallel and antiparallel spins is not as simple as it 
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appears at a first glimpse: while the parallel-spin-state \P) = \ip) pi \ip) P2 is symmetric, the 
antiparallel-spin-state \AP) = \ip) Pl |V ; " L )p2 * s neither symmetric nor antisymmetric. Upon 
symmetrizing \AP) we can realize that it is not orthogonal to \P), and by consequence it 
is not perfectly distinguishable from it (we remand to [69], [70] for a complete treatment 
of this problem). Actually an optimal measurement M' is a nonlocal one and gives Eve 
a conclusive result (between |P) and \AP)) with a probability 1/4 |69j. Hence Eve can 
block all the "inconclusive" pulses to gain full information and still remain undetected. 
However it remains open the question of which photon must Eve forward to Bob: upon 
obtaining this result, Eve does not know whether to give Bob the state \tp) or the state 
\ip }, because she ignores the absolute value of ip prepared by Bob. This shows that two 
photons are not sufficient for a perfect eavesdropping with JVl' . Yet the complete attack 
can be accomplished with an additional photon p^: Eve should store p^, execute M.', and 
eventually encode p^ according to the conclusive outcome of M'\ the photon prepared in 
this way can be forwarded to Bob without risk of detection. 

The above analysis establishes that a perfect eavesdropping can be realized with at 
least three photons in a pulse. It also establishes that the measurement Ai represents a 
more powerful resource for Eve than M' , for a number of reasons: it gives information 
on the complete state tp of the photons, not only on Alice's operation; the probability 
of conclusive results is 1/2 rather than 1/4; Eve knows about the conclusiveness of her 
measurement immediately, rather than after Alice's encoding, and can use this information 
to improve her strategy. For these reasons we only consider the robustness of LM05 against 
the PNS_A/( attack following [51J. 

In case of PNS attacks it was shown in [66] that a communication is secure until the 
signal sent by Alice arrives at Bob's with a probability higher than the probability to 
generate a multi-photon. In our present case the signal is the raw gain G raw , previously 
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introduced for BB84, Eq.(45), and LM05, Eq.(54), where we have neglected the contribu- 
tion of the dark counts. Hence, for BB84, the transmission is secure when the following 
condition is fulfilled: 

n BB84 _ r<BB84 r>BB84 ^ n ( K o\ 

with G^ 84 defined by Eq.d45|) and 



OO j 

« 4 = E e " At 7T = 1 - e " At ( 1 + ^) 



i=2 



the probability that Alice accidentally emits 2 or more photons in a single pulse. 
All the same, for the LM05 we have: 

n ZM05 _ n LM05 r,LM05 ^ n fcr^ 
U — t'raw - ^PNS > U > l by J 

with G^ 05 defined by Eq.d54|) and 



the probability that Alice emits a number of photons dangerous for LM05, as discussed 
above. 

Then we plot in Fig. [7] log 10 D BB84: and log 10 D LM05 and obtain a comparison of the 
security regions pertaining to BB84 and LM05. Differently from the BS attack, for the 
PNS attacks the BB84 is more performant than LM05 on longer distances, higher than 
2.55 Km with our parameters, but LM05 is more performant on shorter distances. Hence, 
while losses remain an important limiting factor for any two-way quantum communication, 
the higher protection from PNS attacks of the LM05 with respect to BB84 could enable 
an advantage in terms of the secure rate for small-range setups like the one in |71j . 
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FIG. 7: Plot of the security regions of BB84 (D BB84 , Eq.([58|), from the dashed line to the axis 
of abscissae) and LM05 (£) LM05 ; Eq. ( 59 1 , from the solid line to the axis of abscissae) versus the 



length of the communication channel, in case of PNS attack by Eve. The BB84 is superior to 
LM05 for longer distances, but LM05 is superior on shorter distances. This is due to the higher 
resistance of LM05 to PNS-like attacks. 

V. CONCLUSION 



In the present work we have described and characterized a practical version of the two- 
way QKD protocol LM05 by considering the most relevant single-particle eavesdropping 
strategies against it. 

The security of the scheme is guaranteed by two QBERs, qi and Qab, which are not 
trivially related one to each other. By assuming a noise model where q\ = Qab it turns 
out that the most powerful attack against LM05 in direct reconciliation is the NORT, 
which provides an upper bound to secure QKD equal to q\ = Qab = 10.0%, while the 
most powerful attack in reverse reconciliation is the DCNOT*, which provides a threshold 
of qi = Qab = H-9%. The adopted noise model is based on the experimental evidence 
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that one-way and two-way channels can be controlled with the same level of precision. 
However other noise models can be considered as well, for instance one in which q\ = 15% 
and Qab = 0. In this case, if Eve performs individual attacks only, it is not possible 
to distill a secure key with the BB84 protocol, while it is possible with the LM05. This 
in our opinion underlines the intrinsic difference between the two ways of performing 
QKD and encourages further research in this area. Moreover it is worth recalling that in 
the present version of LM05 we did not include a QBER test on the backward path of 
the communication channel; such an option, though not very practical, can improve the 
obtained secrecy capacities. 

In the limited scenario of single-particle attacks, we have compared the two-way LM05 
protocol with the standard BB84, which uses a one-way quantum channel. We have found 
that the main limitation of two-way QKD is the high loss-rate, even if it is partially 
counter-balanced by the higher resistance to PNS-like attacks. This entails that the field 
of application of two-way QKD shall be limited to short communication channels, like 
those typical of a QKD network, where the optimal average distance is about 17 Km [72J. 
Even so a conclusive answer about the two modes of performing QKD can come only 
from a quantitative unconditional security proof for two-way QKD, which is still lacking 
at present. In this respect, it is our opinion that specific tools should be developed for this 
task, e.g. an entanglement-based description specific to two-way QKD. In fact, any argu- 
ment too closely related to one-way QKD fails to capture all the peculiarities of two-way 
QKD, like the encoding on operators rather than on statesand the reverse reconciliation 
of the key. 

While we are aware that further studies are needed to make the LM05 protocol and 
two-way QKD in general viable for applications, we are also confident that the multi-way 
use of a quantum channel could play an important role in future developments of quantum 
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cryptography. 
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